Architecture-aware cloud optimization for AWS teams.
Infratrix connects to your AWS account, studies how your infrastructure actually runs, models the architecture as a connected graph, and proposes safe, engineering-ready improvements across cost and reliability.
The bill says NAT. The architecture says VPC endpoint.
A NAT Gateway line item attracts attention. A per-resource tool can tell you the number is large; it cannot tell you that the traffic is going through NAT only because there is no VPC endpoint between your workload and an S3 bucket in the same region.
Infratrix reads your VPC, subnets, route tables, endpoints, and the actual flow logs as a connected graph. The proposal it returns is not “shrink the NAT” — it is a Terraform plan adding the missing gateway endpoint, with the route table and IAM changes that make it safe, and an inverse attached so it is reversible.
This is the difference between visibility and action: a dashboard that surfaces a number, versus a system that proposes the in-stack fix as engineering work your team reviews.
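An added example (not Infratrix's code or output): the check described above, reduced to route tables plus flow logs. All CIDRs, IDs and log lines are constructed, and the five-field record layout is an assumed custom flow log format built from the `subnet-id`, `srcaddr`, `pkt-dstaddr`, `bytes` and `action` fields.

```python
import ipaddress
from collections import defaultdict

# Constructed data; real CIDRs come from the region's S3 managed prefix list.
S3_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
# subnet-id -> routes as (destination, target); constructed.
ROUTES = {
    "subnet-aaa": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")],
    "subnet-bbb": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example"),
                   ("pl-0example", "vpce-0example")],
}
# Constructed flow log lines; assumed custom format:
# ${subnet-id} ${srcaddr} ${pkt-dstaddr} ${bytes} ${action}
FLOW_LOGS = """\
subnet-aaa 10.0.1.15 198.51.100.20 734003200 ACCEPT
subnet-aaa 10.0.1.15 203.0.113.9 1048576 ACCEPT
subnet-aaa 10.0.1.16 198.51.100.77 5242880 ACCEPT
subnet-aaa 10.0.1.16 198.51.100.77 4096 REJECT
subnet-bbb 10.0.2.8 198.51.100.20 9437184 ACCEPT
malformed line
"""

def egress_path(routes):
    """Classify how S3-bound traffic leaves a subnet, from its route table."""
    # Assumption: any prefix-list route to a vpce- target is the S3 gateway endpoint.
    if any(d.startswith("pl-") and t.startswith("vpce-") for d, t in routes):
        return "endpoint"
    if any(d == "0.0.0.0/0" and t.startswith("nat-") for d, t in routes):
        return "nat"
    return "other"

def s3_bytes_via_nat(log_text, routes_by_subnet, s3_cidrs):
    """Sum accepted bytes to S3 addresses from subnets that reach S3 only via NAT."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[4] != "ACCEPT":
            continue  # skip malformed and rejected records
        subnet, _src, dst, nbytes, _action = fields
        if egress_path(routes_by_subnet.get(subnet, [])) != "nat":
            continue  # subnet already has an endpoint route, or no NAT default
        try:
            addr = ipaddress.ip_address(dst)
            count = int(nbytes)
        except ValueError:
            continue
        if any(addr in net for net in s3_cidrs):
            totals[subnet] += count
    return dict(totals)
```

Only `subnet-aaa` is reported: its S3-bound bytes leave through the NAT default route, while `subnet-bbb` already has a prefix-list route to an endpoint.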
Worked example · NAT egress → VPC endpoint
Three systems. One reasoning loop.
Infratrix is built around three coordinated layers: a collector that reads your account, a brain that reasons about it as a graph, and an actor that proposes safe, reviewable change.
Collector
Brain
Actor
Designed to land as a Terraform diff your team reviews.
Speed without safety is how outages happen. Infratrix’s execution model is review-first by construction: a plan you can read, an apply you can scope, and an inverse you can run.
resource "aws_vpc_endpoint" "s3" {+ vpc_id = aws_vpc.main.id+ service_name = "com.amazonaws.${var.region}.s3"+ route_table_ids = [aws_route_table.private.id]+ vpc_endpoint_type = "Gateway" } resource "aws_nat_gateway" "main" {- # egress for app-svc → s3 (in-region) # remains for non-S3 egress only }
- 01
Plan is rendered as a unified diff and reviewed by your team — no apply without explicit approval.
- 02
Apply runs under a time-bounded, action-scoped IAM role you own and can revoke at any time.
- 03
Every applied change writes an audit entry to your own log destination — Aithrex never keeps a side ledger.
- 04
Each change carries its inverse — rollback is a known, tested operation, not a forensic exercise.
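Review bot: The `aws_vpc_endpoint.s3` resource in the Terraform diff above sets no `policy` argument, so the gateway endpoint is created with the default endpoint policy, which allows full access to S3 through it. The page describes the proposal as carrying IAM changes, but the diff shows only the route table association; add an endpoint policy scoped to the buckets app-svc needs before this plan is approved. On the `aws_nat_gateway.main` side the only change is a removed comment, so "remains for non-S3 egress only" is a statement of intent that nothing in the visible plan enforces.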
Built so the customer always holds the kill switch.
Trust is an engineering property, not a marketing claim. Every layer of Infratrix is designed so the safe path is the default, and the unsafe path is the explicit, reviewed exception.
In-account by default
Scoped IAM, least privilege
Customer-held kill switch
Audit trail, no surprises
Engineering teams responsible for non-trivial cloud spend.
Infratrix is built for AWS platform engineers, SREs, FinOps partners working alongside engineering, and the infrastructure leaders who sign off on production change. Teams running real architecture — not demo accounts.
You should not need to integrate a new monitoring product, change your IaC, or hand over write access on day one. The expected starting point is a read-only conversation about your account, followed by review-ready proposals on the paths that matter.
See Infratrix against your own AWS environment.
We’re onboarding early teams. If you’re running a non-trivial AWS bill and want a serious second opinion on your architecture, we’d like to talk.